Applications and Benefits of Elliptic Curve Cryptography

Curve Cryptography

Krists Magons

University of Latvia, Faculty of Computing, Rain¸a bulv¯aris 19, Riga, LV-1586, Latvia km10054@lu.lv

Abstract. This paper covers relatively new and emerging subject of the elliptic curve crypto systems whose fundamental security is based on the algorithmically hard discrete logarithm problem.

Work includes the study of the following issues: mathematical background of the elliptic curve crypto systems, discrete logarithm problem, practical use cases in the industry, common implementation mistakes, performance comparison of elliptic curve and RSA crypto systems etc.

The conclusion contains a brief summary of the elliptic curve cryptosystem prac- tical applications, the potential practical benefits and disadvantages with respect to the widely used RSA crypto system.

1 Introduction

The origins of asymmetric cryptography are associated withWhitfield DiffieandMartin Hellmanfamous 1976 publication that launched the revolution in cryptography [1, 2].

That publication pointed out a number of algorithmically hard problems such as the discrete logarithm problem. Afterwards the foundation of modern public key cryptogra- phy was defined. One of the most significant results was the discrete logarithm problem which is used in several crypto systems likeDSA,ECDH, as well as virtually in any elliptic curve based crypto system design. The problem is easily to define:

G – finite cyclic group,g – generator of G,a ∈G,find natural number s, such as g^s =a, if s exists[1]. It is believed that such issue is an algorithmically hard prob- lem, which means that there is no general algorithm that solves the discrete logarithm problem in polynomial time.

In this paper the author reviews the practical use of the elliptic curve public key crypto systems which are based on the discrete algorithm problem. Elliptic curves are studied for more than a century [3] and are used not only in cryptography, but also in the fields of computer science such as coding theory, pseudo-random number generation and others [3].

The origins of the elliptic curve cryptography date back to 1985 when two scientists N. Koblitz and V. Miller came up with the idea that it is possible to use the set of points defined by an elliptic curve over finite prime field in the crypto systems whose security is based on the discrete logarithm problem. Elliptic curve based crypto systems versus those crypto systems which are based on the integer factorization problem offer significant advantages because the known methods for computing the discrete logarithm

are not feasible to be practically used on the elliptic curve based crypto systems. One of the most important practical benefits is significantly reduced key sizes compared to other crypto systems. For instance, from the security standpoint elliptic curve based crypto system with key length of 163 bits is comparable toRSAbased cryptosystem whose key length is equivalent to 1024 bits [4].

2 Elliptic Curves Over Finite Prime Field F

LetFpbe a finite prime field that contains exactlyp elements and pis an odd prime number. For each odd prime numberpexists exactly one finite prime fieldFp, however, the representation of field elements may vary [5].

Ifa,b ∈Fpand 4a³+27b²6≡0(mod p)then the elliptic curve overFpis the fol- lowing set of points [6]:

E(Fp) ={(x,y)} ∈Fp2|y²≡x³+ax+b(mod p)∧4a³+27b²6≡0(mod p)∧a,b,y,x∈ Fp} ∪ {O^{}, where}Ois the point at infinity

The number of elements #E(Fp), inE(Fp)is equal to the number of points of elliptic curve overFp. According to theHasse Theorem#E(Fp)belongs to the interval [5] :

p+1−2√

p≤#E(F_p)≤p+1+2√ p

It is proved that the elements ofE(Fp)form abelian group. The number of elements

#E(Fp)inE(Fp)is called the order of group. The order of group can be algorithmi- cally determined by taking full scan of elements inO(p)time, however, there are more efficient algorithms available, for instance, theSchoof ’salgorithm [7, 8].

2.1 The Algebraic Definition of Addition Operation inE(Fp) The addition operation inE(Fp)is defined by the following axioms [5]:

1. O⁺O⁼O

2. ∀(x,y)∈E(Fp):(x,y) +O⁼O^{+ (x,y) = (x,y)} 3. ∀(x,y)∈E(Fp):(x,y) + (x,−y) = (x,−y) + (x,y) =O

4. (x₁,y₁)∈E(Fp),(x₂,y₂)∈E(Fp),x₁6=x_2,,then(x₁,y₁) + (x₂,y₂) = (x₂,y₂)+(x₁,y₁) = (x₃,y₃)

5. x₃≡λ²−x₁−x₂(mod p) 6. y₃≡λ(x₁−x₃)−y₁(mod p) 7. λ≡^y_x^2−y1

2−x₁(mod p)

8. (x₁,y₁)∈E(Fp)y₁6=0(x₁,y₁) + (x₁,y₁) = (x₄,y₄) 9. x₄≡λ²₂−2x₁(mod p)

10. y4≡λ₂(x₁−x₄)−y₁(mod p) 11. λ2≡^3x_2y^21+a

1 (mod p)

2.2 The Algebraic Definition of Scalar Multiplication Operation inE(Fp) Crypto systems based on elliptic curves overFplargely utilize the scalar multiplication operation. LetPbe a point of an elliptic curve overFp,n∈N,then the scalar multipli- cation is defined as addition ofP n-times [8]. The result is denoted asnP.nP=

n

∑

i=1

P, where addition is theE(Fp)addition operation. The scalar multiplication operation can be effectively carried out inO(logn)time by using the addition operation axioms and algorithms such asDouble and Addalgorithm [8].

2.3 Cyclic Subgroups ofE(Fp)

By examining an elliptic curve over fixed prime fieldFp, it is easy to observe that the set of all scalar multiplications of given point P forms a cyclic subgroup ofE(Fp)[8, 9].

The pointPis called the generator of subgroup. The order of subgroup is the smallest non-negative number n∈N such thatnP=O. It is not possible to use theSchoof ’s algorithm to find the order of subgroup [7, 8]. To find the order of cyclic subgroup it is required to use theLagrange’s theoremon subgroup order which states that for any finite groupG, the order of every subgroupHofGdivides the order ofG[9].

In practice it is important to use cyclic subgroups with maximum possible order. In order to construct an elliptic curve based crypto systems, the curveE and underlying fieldFp are fixed, the order ofE(Fp)is calculated by usingthe Schoof ’salgorithm, then the largest maximum prime factorn of #E(Fp)should be chosen as an order of cyclic subgroup [8]. To find a suitable group generator element (point on the curveE), calculate the cofactorh=#E(Fp)/n, randomly select an elementHofE(Fp). IfhH6=

O^{, thenH}is the generator of cyclic subgroup, otherwise repeat the previous step [8].

3 The Discrete Logarithm Problem

If all the points of an elliptic curve over finite prime field Fp form a group E(Fp) andPis one of the points of the curve andn∈N, then the scalar multiplicationnPis called the discrete exponent at basePand powern. Discrete exponents have significant properties similar to classic exponents. [10]. For the discrete logarithm problem based crypto systems the following property is very important:

(n+m)P=nP∗mP,where n,m∈N∧P∈E

The question: given points Q∈E(Fp),P∈E(Fp) find positive integer n such that Q=nPif such n exists. As mentioned in previous chapters, the elliptic curve cryp- tography utilizes the cyclic subgroups ofE(Fp), so it is clear that thenmust be in the range0 ≤n<#hPi,where #hPiis the order of cyclic subgroup generated byP. The numbernis the discrete logarithm of baseP. It is proved that discrete logarithms, like discrete exponents, have similar characteristics to the classic logarithms of real numbers [10]. We can use familiar notation:n=log_P(Q),when Q=nP. Significant property of discrete logarithms [10]:

log_P(h∗j)≡log_P(h) +log_P(j) (mod#hPi)

There is no such polynomial time algorithm which computes discrete logarithms for all cases. It should be noted that no proofs are available which states the non existence of such algorithm. In practice, exponential time algorithms are available [1, 3, 10] which compute discrete logarithms for cyclic subgroup G of E(Fp). For instance,Shank’s Baby-Steps, Giant-Stepsalgorithm computes discrete logarithms in√

#G steps where each step is one group addition operation [3] . Another algorithm is the Pollard p-method which computes discrete logarithms in approximately

√πn

2 steps where nis the order of subgroupG[3]. The mentioned algorithms are two of the best known methods of computing discrete logarithms for elliptic curve based crypto systems.

To ensure maximum security of the crypto system (to increase the time required to solve the discrete logarithm problem), elliptic curve and underlying finite prime field must be properly selected. For instance, if #E(Fp) =pthen there is an algorithm available which computes discrete logarithms inO(logp)time [11].

Despite the fact that virtually all public key cryptography solutions can be imple- mented by using the popular RSA crypto system, crypto systems based on the discrete logarithm problem have several advantages over the integer factorization problem based crypto systems like RSA [10]:

• Technical advantages. If there are two algorithms which provide similar functio- nality, but one is based on the elliptic curve crypto system, while the other on the RSA crypto system, the first case of solving discrete logarithms isharderas integer factorization in the second case. The benefit is obvious. Discrete logarithm-based crypto systems have significantly smaller key sizes compared to RSA [10].

• Potential patent issues related to the RSA algorithms [10].

• Mathematical backgrounds. Possibility to improve the existing RSA crypto system security by introducing additional data-protection algorithms based on the discrete logarithm problem.

4 Crypto Systems Based on Elliptic Curves

Algorithms of cryptosystems based on elliptic curves use tuples of parameters to define an underlying curveE. E=(p, a, b, P, n, h) wherepis a prime number which determines the finite prime field, a andb are coefficients of the curve,P – point on the curve, generator of cyclic subgroup,n– order of subgroup,h– cofactor of subgroup [5, 12].

As mentioned, there are classes of elliptic curves which are considered unsafe for use in cryptography. For instance, there areweakelliptic curves which allow calculation of discrete logarithms in polynomial time [11, 12]. To prevent malicious use of ellip- tic curves in the implementations of crypto systems, the curve coefficientsa,band the subgroup generatorPcan be randomized by using hash functions. In such cases, the set of curve parameters is extended by adding probabilistic numbers, which is used to generate parametersa,bandP. An elliptic curve with probabilistic parametersis de- noted as verifiably random elliptic curve [12]. The generation of verifiably random curves is standardized, there are different methods of selecting the most appropriate hash function to generate the curve.

Although such approach provides relative protection against maliciously selected elliptic curves, however, there are certain risks involved, such as security and reliability of hash function being used to generate the curve parameters.

General key generation in elliptic curve based crypto systems:For an elliptic curve E = (p,a,b,P,n,h) , there are key pairs(d,Q), where d is the private key which is natural number from the interval[1,n−1]and Q is the point of an elliptic curve which is the public key Q= (x_q,y_q) =dP[5].

4.1 ECDH Crypto System

ECDH(Elliptic Curve Diffie-Hellman) is the version ofDiffie-Hellmankey exchange algorithm for elliptic curves, which determines the method how two communication participantsAandBcan generate key pairs and exchange their public keys via insecure channels. The algorithm determines only the method how key pairs are generated, the user defines the relation between encryption keys and data to be encrypted [7, 12]. After the keys have been exchanged it is common to use symmetric encryption methods. In practice,ECDH crypto system can be successfully adapted to different data security solutions [7].

TheECDHalgorithm:Given an elliptic curve over finite prime field E(Fp). Com- munication participants A and B agree on a point Q∈E(Fp), which is freely available in the communication medium. The participant A secretly chooses probabilistic posi- tive integer kA,calculates kAQ and sends it to the party B. The member B also selects probabilistic positive integer kB, calculates kBQ and sends it to the participant A. The shared secret P=kAkBQ.

The participant A calculates P, by multiplying the received point k_BQ with the secret private key k_A. The participant B respectively calculates P by multiplying the received point k_AQ with the secret private key k_B[12].

After the public key exchange, one of the most typical methods how the encrypted messages are synchronized is the version ofElGamalcrypto system for elliptic curves [1].

As the setE(Fp)is finite there is a limited set of information which could be en- crypted by using points of the curve [1]. Also, there are no practical methods available to deterministically generate points of the given curve [1].

The problem can be solved by creating relation between thex-coordinate of given curve point P∈ E(Fp)and a field Fp element that may not be a point on the curve [1]. There are algorithmsCompress PointandDecompress Pointavailable which allow reduction of the amount of memory required for storing the curve points in the computer memory by two times. It is possible to clearly identify the curve pointP = (xy)by specifiying the x-coordinate of point P and parity bit b.b ≡y(mod2)[1].

4.2 ECDSA Crypto System

ECDSA (Elliptic Curve Digital Signature Algorithm)isDSA(Digital Signature Algo- rithm) digital signature standard analogue for elliptic curves. LikeDSA, the goal of ECDSAis to provide verifiable digital signatures for data messages.ECDSAstandard was approved in 2000 asNIST FIPS 186-2[1].

The author signs the data message by using his private key. The digital signature is added to the content of the message and can be freely validated by using the message author’s public key.

Private keys are generated very much alike toECDHcrypto system. IfPandQare two points on an elliptic curve, then the private key is the discrete logarithm m=log_PQ [1].

Algorithm of adding digital signatures works as follows:Participants A and B agree on a set of curve E(Fp) parameters E =(p, a, b, P, n, h). Let us suppose that the participant A wants to sign the message z∈Nand the participant B wants to validate the digital signature of the received message by using the participant’s A public key.

Computing the digital signature:

1 The participant A selects arbitrary integer k from the interval [1; n-1] where n is the order of cyclic subgroup hPi of E(Fp).

2 The participant A computes the point Q=kP.

3 The participant A computes r≡x_Q(mod n),where x_Qisthe x−coordinate o f Q.

4 If r=0, A repeats the previous step.

5 The participant A computes s≡k⁻¹(z+r∗k_A) (mod n), where k_Ais the private key of A.

6 If s=0, choose different random k∈[1; n-1] and repeat the algorithm.

7 The tuple (r, s) is the digital signature [12].

Verification of digital signature:

1. The participant B computes i≡s⁻¹∗z(mod n).

2. The participant B computes j≡s⁻¹∗r(mod n).

3. The participant B computes the point Q=iP+jK’_A, where k’_Ais the public key of A.

4. The digital signature is valid if and only if r≡x_Q(mod n)[12].

TheECDSAcrypto system standard is widely used in practice. Along with theECDH crypto system,ECDSAis being used in various network cryptographic protocols such asSSLandTLS, smart card solutions, embedded systems etc.

5 Typical Implementation Issues

Implementation issues of elliptic curve based crypto systems can be divided into four abstract categories.

The first category includes technical errors with regard to hardware and software implementations in the form of lack of authentication, inadequateRAMand media pro- tection, errors in algorithms, incorrect network infrastructure etc. For those security problems it is common that the sensitive information, including private encryption keys, can come at the disposal of third parties without attempts of breaking the fundamen- tal security background of the crypto system but by accessing the information directly

through the hardware and software security holes. This is the most common implemen- tation issue and is not related to the security of the fundamentals of crypto system. It is associated with insufficient software testing and computer system security audits.

The second type of implementation issues is associated with the selection of under- lying elliptic curves and prime fields. As mentioned, there are classes ofweakelliptic curves. For instance, it is possible to solve the discrete logarithm problem in polynomial time for certain class of curves where #E(Fp) =p– the number of points on a curve is equal to the number of elements in a finite field [3, 11]. Also, it is important to select large enough subgroups ofE(Fp)to avoid feasible calculation of discrete logarithms by methods such asPollard-pmethod [1, 13]. To ensure maximum security of the crypto system it is advisable to use verifiably random elliptic curves and prime fields such that the order of group #E(Fp)is divisible by a sufficiently large prime numbernwhere n>2¹⁶⁰[3].

The third type of implementations issues is associated with the performance of E(Fp)group operations like addition and scalar multiplication. It is advisable to use Mersenneprimes, which can significantly improve the performance of the scalar mul- tiplication operation [3]. This result is related to the processor architecture that enables an effective execution of module arithmetic operations with binary representation of the number, which is close to power of two [14]. Also, it is important to select the most appropriate coordinate system to improve the performance of group operations [5]. De- pending on the selected coordinate system, the performance of group operations may vary. For instance, the performance of scalar multiplication can be improved by using Jacobicoordinate system in cases where the scalar multiplication takes place with even number (point doubling) [14]. It is possible to apply theJacobicoordinate system by using the following connection to affine coordinates:Jacobi coordinates represent an affine point (X/Z²,Y/Z³) on elliptic curve y²=x³+ax+b as a point (X:Y:Z), where Y²=X³+aX Z⁴+bZ⁶,Z6=0 [15].

The fourth type of implementations problems is associated with the private key management. It is required to ensure that the private keys are being re-calculated and re-issued on regular basis. Usage of constant private keys seriously increases the risk of keys being intercepted by a third party. The most typical example is the interception of a private key from 2010 withSony PlayStationapplication signature crypto system where a constant private key was used for all issued digital signatures [13].

6 Security of Elliptic Curve Based Crypto Systems Versus RSA

The fundamental security of elliptic curve crypto systems is based on the algorithmi- cally hard discrete logarithm problem. Elliptic curve cryptography is one of the most important practical applications of discrete logarithms nowadays [10].

According to the literature,MIPS (million instructions per second) capable com- puter can execute 4×10⁴E(Fp)group addition operations per second which is approxi- mately 2⁴⁰additions per year [3]. It is clear, that this assumption is hypothetical and in practice may vary due to many factors related to the computer architecture, software and elliptic curve parameters.

Applications and Benefits of Elliptic Curve Cryptography 39 Koblitz, Menezes and Vanstonehave published the assessment of the required com- puting time to solve discrete logarithms byPollard p-method in cyclic subgroups of E(Fp)with various ordersn. The results are summarized in the table below.

Table 1.The Assessment of the Required Computing Time to Solve Discrete Logarithms by Pollard p-method[3]

Size of n (bits)

MIPS (years)

512 3 x 10⁴

768 2 x 10⁸

1024 3 x 10¹¹

1280 1 x 10¹⁴

1536 3 x 10¹⁶

2048 3 x 10²⁰

Pollard p-methodcan be parallelized. Thus, by using multi-processor computer sys- tems, it is possible to reduce the time required to solve discrete logarithms. Theoretical assessment:if 10 000 computers capable of 1,000 MIPS are available and n is 2160, then the calculation of single discrete logarithm takes approximately 85,000 years[3].

There are very specific cryptographic processor architectures available, which pro- vide the hardware level support of execution of parallelizedPollard p-method[5]. How- ever, in practice modern general computers have built-in very capable graphic cards which are easily accessible and very strong cryptographic problem solving devices.

It is obvious that the computation of a single discrete logarithm could lead to the leakage of a single private key. Easy to conclude that in general case the illegitimate private key computation of elliptic curve based crypto systems is extremely expensive operation.

RSA (Rivest, Shamir, Adleman) is the most widely used public-key crypto system [4]. Since its introduction in 1977 [2] it is used around the world on wide range of security system solutions scaling from private users to global corporations.

Opposite to elliptic curve crypto systems, which are fundamentally based on the algorithmically hard discrete logarithm problem, RSA fundamental security is based on the algorithmically hard integer factorization problem which could be defined as follows:given the product n of two primes q, p, find p and q such that n=qp[1].

The mathematical background of RSA is based on elementary modular arithmetic, which is relatively long known and well studied.

Currently, one of the most effective methods of solving the integer factorization problem isGeneral Number Field Sievealgorithm [1]. This algorithm works in sub- exponential time [16]. As mentioned, the best known algorithms for solving the discrete logarithm problem are capable of exponential running time. For comparisons,Koblitz, Menezes and Vanstonehave also published the assessment of the required computing time to solve the integer factorization problem byGeneral Number Field Sievealgo- rithm [3], the results are summarized in the table bellow.

40 K. Magons

Table 2.The Assessment of the Required Computing Time to Solve the Integer Factorization Problem byGeneral Number Field SieveAlgorithm [3]

Size of n (bits)

MIPS (years)

512 3 x 10⁴

768 2 x 10⁸

1024 3 x 10¹¹

1280 1 x 10¹⁴

1536 3 x 10¹⁶

2048 3 x 10²⁰

It is obvious that in general case the discrete logarithm problem is algorithmically harderthan the integer factorization problem. Easy to notice, compared to elliptic curve based crypto systems, RSA keys can be obtained in relatively shorter time. In order to maintain the reasonable level of security, RSA keys must have longer bit length compared to elliptic curve based crypto systems.

6.1 Comparison of Key Generation

Taking into account the relatively high computing resources required to compute dis- crete logarithms, elliptic curve crypto systems allow to significantly reduce size of the encryption keys. The small key size enables faster execution of various cryptographic operations. According to the literature, it is concluded that RSA key generation takes place substantially slower than elliptic curve based crypto systems of comparable level of security [4]. The results are listed on the table below (Please see the publication for details of the experiment):

Table 3.Comparison of Key Generation [4]

Key Size (bits) Generation time (seconds)

ECC RSA ECC RSA

163 1024 0.08 0.16

233 2240 0.18 7.47

283 3072 0.27 9.89

409 7680 0.64 133.90

571 15360 1.44 679.06

Easy to notice, the key generation of elliptic curve based crypto systems is signifi- cantly faster than RSA due to smaller key size. In addition, increasing level of security significantly increases the generation time ratio.

According to the literature, to ensure sufficient protection against elliptic curve crypto system key cracking, it is required to use keys with length of at least 150 bits for temporary security solutions and 180 bits for long term security solutions [3]. To meet the equivalent level of security, RSA keys must be at length of 1024 bits for short

term solutions and 2240 bits for long term solutions. Such RSA keys are not only 6 to 9 times longer, but also their generation is 2 to 40 times slower.

There is a study available that compares elliptic curve based crypto systems and RSA on implementations for 8-bit processor architectures. The authors experimentally observed that there is a fundamental relationship between the processor word length and the key length of crypto system:The relative performance of ECC over RSA increases as the word size of the processor decreases[14].

7 Summary

Despite the several decades long history of the elliptic curve cryptography, there is still a lack of research. The popularRSAcrypto system is more widely studied. A significant lack of research is one of the main reasons why elliptic curve based crypto systems have showed low popularity nowadays. It is possible to conclude that the lack of research is related to the relatively complex mathematical foundation of elliptic curves and lack of interest from the systems developers.

It is expected that elliptic curves will play a growing role in various implementa- tions. As mentioned, the discrete logarithm problem is algorithmicallyharderthan the integer factorization problem, allowing a significant reduction in the public key crypto- graphic key size, thus speeding up a variety of cryptographic operations. Elliptic curve based crypto systems can be effectively used on low resources and power system solu- tions such as smart cards, mobile devices, sensors and so on.

The vast majority of implementation issues of elliptic curve based crypto systems are not directly related to the fundamental security backgrounds. These issues are re- lated to the factors such as faulty software, inappropriate system components, inade- quate private key protection, usage of defective random number generators and crypto- graphic hash functions etc.

Implementation options:

• The most used crypto systems such asECDHandECDSA are standardized and patent free. They are free to use.

• There are availableNISTstandardized elliptic curves for various security require- ments.

• Free access to the extensive information on algorithms for elliptic curves based crypto systems.

Benefits of elliptic curve based crypto systems versus RSA crypto system:

• Key size. The key of an elliptic curve based crypto system takes significantly less memory. The ratio increases rapidly with the increase of security levels. For in- stance, RSA crypto system with the key length of 1024 bits, is equivalent to an elliptic curve crypto system with the key length of 163 bits.

• Cryptographic operations performance. Thanks to the smaller size of keys, the cryp- tographic operations such as key and digital signature generation are carried out sig- nificantly faster. For instance, an elliptic curve crypto system with the key length of 233 bits corresponds to RSA crypto system with the key length of 2240 bits. In the first case the key is generated approximately 40 times faster.

• Resource savings. Due to the smaller key sizes, algorithms of an elliptic curve based crypto systems can be executed on very limited resources.

Disadvantages of elliptic curve based crypto systems versus RSA crypto system:

• Significantly more complex mathematical backgrounds.

• Relatively large group ofweakelliptic curves.

• Lack of research.

References

1. Stinson, D.R.: Cryptography Theory And Practice. 3th edition, Chapman & Hall/CRC, New York (2006)

2. Maurer, U.M., Wolf, S.: The Diffie–Hellman Protocol. In: ”Towards a Quarter-Century of Public Key Cryptography”, Kluwer Academic Publishers, pp. 147–171, Boston (2000) 3. Koblitz, N., Menezes, A., Vanstone, S.: The State of Elliptic Curve Cryptography. In:

”Towards a Quarter-Century of Public Key Cryptography”, Kluwer Academic Publishers, pp. 173–193, Boston (2000)

4. Arrendondo, B., Jansma, N: Performance Comparison of Elliptic Curve and RSA Digital Signatures. IPCSIT vol. 4, IACSIT Press, Singapore (2011)

5. Brown, D.R.L.: SEC 1: Elliptic Curve Cryptography. Certicom Corp (2009) 6. Novotney, P.: Weak Curves In Elliptic Curve Cryptography (2010)

http://ftp.mpir.org/edu/2010/414/projects/novotney.pdf

7. Schoof, R.: Elliptic Curves Over Finite Fields and the Computation of Square Roots. Mathe- matics of Computation vol. 44, pp. 483–494 (1985)

8. Corbellini, A: Elliptic Curve Cryptography: Elliptic Curve Cryptography: finite fields and discrete logarithms (2015)http://andrea.corbellini.name/2015/05/23/

elliptic-curve-cryptography-finite-fields-and-discrete-logarithms 9. Robinson, J.S.D.: An Introduction to Abstract Algebra. Walter de Gruyer GmbH & Co

(2003)

10. Odlyzko, A.: Discrete logarithms: The past and the future. In: ”Towards a Quarter-Century of Public Key Cryptography”, Kluwer Academic Publishers, pp. 129–145, Boston (2000) 11. Silverman, H.S.: An Introduction to the Theory of Elliptic Curves. University of Wyoming

(2006)

12. Corbellini, A.: Elliptic Curve Cryptography: ECDH and ECDSA (2015)http://andrea.

corbellini.corbellini.name/2015/05/30/elliptic-curve-cryptography- ecdh-and-ecdsa/

13. Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic Curve Cryptography in Practice (2014)https://eprint.iacr.org/2013/734.pdf 14. Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C.: Comparing Elliptic Curve Crypto-

graphy and RSA on 8-bit CPUs. LNCS, vol. 3156, pp. 119–132. Springer, Heidelberg (2004) 15. Brown, M., Hankerson, D., Lopez, J., Menezes, A.: Software Implementation of the NIST Elliptic Curves Over Prime Fields LNCS, vol. 2020, pp. 250–265. Springer, Heidelberg (2001)

16. Schaefer, E.: An introduction to cryptography and cryptanalysis (2011) http://math.scu.edu/\textasciitildeeschaefe/book.pdf